The Federal Bureau of Investigation (FBI) is the United States’ federal law enforcement agency. With a history of thorough reporting, intelligence gathering and criminal justice services, the organization has a reputation for legitimacy and effectiveness, due in part to its portrayal in pop culture and entertainment for decades. The FBI has also become the country’s primary enforcer of cybercrime investigations, along with the Cybersecurity & Infrastructure Security Agency (CISA). According to the FBI’s website:
“The FBI is the lead federal agency for investigating cyber attacks and intrusions. We collect and share intelligence and engage with victims while working to unmask those committing malicious cyber activities, wherever they are.”
It is the FBI’s importance in cybercrime defense and investigation, as well as the agency’s recent prominence in the field thanks to an escalation in breaches and ransomware attacks, that make the recent hack of the organization’s emails especially egregious.
What happened during the FBI email hack?
On November 13th, an unauthorized user sent out two waves of fraudulent emails from the FBI’s server. The emails originated from an official FBI email address, firstname.lastname@example.org, indicating that they were sent from the organization’s Law Enforcement Enterprise Portal (LEEP). The subject line was “Urgent: Threat actor in systems,” and the emails were found to have come from the FBI’s IP address.
The email warned of a “sophisticated chain attack” and accused Vinny Troia of being the “threat actor” responsible for said attack. Troia is a popular and well regarded cybersecurity researcher, author and investigator.
The emails, sent en masse, were noticed by the cybercrime non-profit organization SpamHaus. According to SpamHaus, the emails reached at least 100,000 people, although it believes more may have been sent out than it knows. While the hack seems likely to be a prank, experts at SpamHaus have warned that the fraudulent emails may be only a small portion of a more widespread attack.
In the second of two official statements made by the FBI regarding the attack and the influx of concerned communications they received as a result, the agency stated that “while the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network. Once we learned of the incident we quickly remediated the software vulnerability, warned partners to disregard the fake emails, and confirmed the integrity of our networks.”
Who is responsible for the FBI email hack?
The hack was likely carried out in an effort to troll Troia, who has found himself on the receiving end of a variety of attempts to discredit his name and work by those related to the online hacking community RaidForums.
According to Troia, an individual known as “Pompompurin” has a history of sending him personal messages right before an effort to discredit him is engaged. This particular attack is no different, with Troia stating that Pompompurin sent him a message that read “enjoy” shortly prior to the FBI hack.
Additionally, security reporter Brian Krebs stated that he too received an email from Pompompurin. The message, sent from an FBI email address in the midst of the email blasts, read “check headers of this email it’s actually coming from FBI server.”
In a further interview with Krebs, Pompompurin says that they executed the hack to point out the lapses in the FBI’s security.
“I could’ve 1000% used this to send more legit looking emails, trick companies into handing over data etc.,” said Pompompurin. “And this would’ve never been found by anyone who would responsibly disclose, due to the notice the feds have on their website.”
How was the FBI email hacked?
Pompompurin said that they were able to hack into the FBI’s server using a vulnerability they discovered on the organization’s Law Enforcement Enterprise Portal.
This online portal, until recently, allowed anyone to apply for an account giving access to resources that could be used in investigations; applicants were sent a code used to verify their email address. According to Pompompurin, this one-time code was actually leaked via the site’s HTML. Pompompurin was then able to use that leaked code to proceed.
Regarding the vulnerability, Pompompurin said “needless to say, this is a horrible thing to be seeing on any website. I’ve seen it a few times before, but never on a government website, let alone one managed by the FBI.”
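The flaw described above, a one-time verification code that ends up in the HTML served to the unauthenticated visitor, as an added example (constructed Python, not LEEP’s code): the leaky pattern beside a hardened one in which the code only travels by email, is stored hashed on the server, expires and is single-use. The form fields, the `send_email` callback and the in-memory `_pending` store are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, framework-free model of an email verification step.
# The "page" is the HTML string the browser receives.
OTP_TTL_SECONDS = 600


def leaky_signup(email: str) -> tuple[str, str]:
    """Flawed pattern: the code is written into the page, so anyone can read it
    from the HTML source without access to the mailbox. Returns (html, code)."""
    code = f"{secrets.randbelow(10**6):06d}"
    html = ('<form method="post" action="/verify">'
            f'<input type="hidden" name="email" value="{email}">'
            f'<input type="hidden" name="expected" value="{code}">'  # the leak
            '<input name="code"><button>Verify</button></form>')
    return html, code


def leaky_verify(form: dict) -> bool:
    # Compares two client-supplied values; the check proves nothing.
    return form["code"] == form["expected"]


# Hardened pattern: only a hash of the code is kept server-side, keyed by the
# address being verified, with an expiry; the clear-text code goes out of band.
_pending: dict[str, tuple[bytes, float]] = {}


def _digest(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()


def safe_signup(email: str, send_email, now=time.time) -> str:
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[email] = (_digest(code), now() + OTP_TTL_SECONDS)
    send_email(email, code)  # the sole channel that carries the secret
    return ('<form method="post" action="/verify">'
            f'<input type="hidden" name="email" value="{email}">'
            '<input name="code"><button>Verify</button></form>')


def safe_verify(email: str, submitted: str, now=time.time) -> bool:
    entry = _pending.pop(email, None)  # single use: consumed even on failure
    if entry is None:
        return False
    expected, expires = entry
    if now() > expires:
        return False
    return hmac.compare_digest(expected, _digest(submitted))
```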
Tellingly, the LEEP portal website also encourages visitors to view the site via Internet Explorer, a Microsoft web browser that the company no longer supports. Microsoft itself recommends that users stop using Internet Explorer because of the security concerns raised by such badly outdated software.
What happens now?
This hack, hot on the heels of the FBI’s recent warning to financial institutions about the dangers of ransomware, does more to discredit the agency’s competence with regard to cybersecurity than it does to discredit the name of Vinny Troia.
While it is fortunate that the vulnerability was discovered and used for what amounts to a prank rather than a full-scale cyberattack, it is disheartening that the agency holding the reins on cybercrime operates a website so insecure and out of date that it encourages users to view it with an unsupported web browser. While these types of errors are unfortunately commonplace, the FBI should lead by example by instituting and mandating robust, modern, impeccable cybersecurity, especially if the organization is to be the authority in matters involving data breaches and cybercrime.
Troia believes Pompompurin to be living in Calgary, Canada. Given Pompompurin’s history of hacking, Troia is surprised that the FBI has yet to work to apprehend them. However, he hopes that this recent FBI email hack may have embarrassed the organization enough to pursue criminal charges against Pompompurin.